02-28-2012 09:13 AM
I received a letter saying 1 or more computers infected w bot & I will be disconnected by March 6 (1wk). Gives steps to do it yourself or call a number I didn't recognize. Had recently got phishing email and was skeptical. Called normal internet trouble help. Had no idea what I was talking about (hadn't heard of any recent problem) & gave a # for help. After calling, they tell me our house identified as having a bot, must pay $120 or $98 and $20 a month on top of the recent increase they just made to my service. Must have money now, can't bill u either. Then they will remotely take over my computer and fix it. If don't, we will lose service cuz it costs too much money for comcast to reroute us to secure network and it will be shut down at that time for anybody still on. Won't say how it was detected, was not informed I had been rerouted to another network server the FBI supposedly had put in place. Said the do it yourself option in the letter I received wouldn't work. After an hr, husband called asked how it was detected and why we have to pay. Refused to discuss how we were detected or why we were rerouted except that 1 or more was detected at some point.
Was worried if this could affect other devices: xbox live, tablet, playstation, phones that hook up wirelessly in the house, and printer
After more checking on website, shows a weblink to check computers by hard wiring in. I did. Got ALL green screens. Checked 1 through wireless to check router even though says I don't need to - GREEN SCREEN.
Talked to chat, after bounced around finally given security team. Yes the bot is real but no idea why I received letter or rerouted to the "secure network" if all computers are showing they are clean. Just in case, I should back up everything, use norton's backup onto my computer, and perform steps on all computers so I don't get knocked out of internet.
Oh and I'll probably lose everything.
Our neighborhood recently had an outage and 1 computer had trouble reconnecting. After that, I get this letter. Although it says it's detected by crossreferencing, I would like to know how exactly it has been flagged. Our main computer runs nortons security guard and others have constant guard. I ran the checks and nothing is there. I have to risk all my computers doing some "fix" for something that says it is clean or run the risk of losing internet in a week. Or, I can let someone take my credit card info now, grant them remote access to my computers, and pay them to "fix" something not there. Now, I'm forced to do this. Hope that my backups don't have an infection and probably mess up my computers.
If they knew about this issue, why were customers not informed until a week before? I received no notification. Just told to pay now or risk losing my access. Not including, the tests show I'm clean.
If I go through the do it yourself process, how will I know that I will not lose access anyways. I have an older model wireless router and no supports even available to reset. Was told to reset it to factory but that's what it's on. I'm assuming I need to change it to my own since the default was not changed to begin with.
As a customer that is already paying top dollar, I feel like comcast has not appropriately handled the situation or let people know if what they do is going to keep them online when the 6th comes around. I'm required to have internet, and if it's not fixed I was told I won't be able to use a public access point (like at a school) or another provider either since the computers have been "marked" as having the malicious bot. How is it you can reroute our computers to make sure we don't lose access on computers that are not showing up infected with YOUR checks? I am really upset with how this has been handled, the lack of time you gave us, and the push that we have to do something immediately when nothing is showing up on our systems.
Since it seems I have to do this anyways, I just want someone to tell me it will take care of the issue and whether or not this bot can show up on other wireless devices like xbox, ps3, phones, or tablets. I know it says the router has to be reset but I can't find anything on other wireless devices.
02-28-2012 09:15 AM - edited 02-28-2012 09:27 AM
I should add Blu-ray device and tv as well since all run on the system at some point or another (netflix and so on)
I would also like to know if the FIX means I have to install constant guard. I don't think it's on 1 computer, I never installed it directly, however I do see an icon for it.
02-28-2012 02:31 PM
Hi AG2012,
Here is the article about where we are getting the data. http://www.fbi.gov/news/stories/2011/november/malw
According to that data, something behind your modem queried one of the DNS servers. The only way this would happen, is if the bot queried it.
If you've gone through our steps and https://amibotted.comcast.net says you're clean, you shouldn't need to do anything else. You can also check http://dns-ok.us to see if you're still using the bad dns servers.
I am not currently seeing any activity from your account since the 17th.
Thanks,
Adam
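The detection described in the reply above (a device behind the modem sent DNS queries to one of the rogue servers) can also be checked from the home side, which is what identifies the individual computer. This is an added example, not part of the original thread and not Comcast's detection method: the log format, function names and sample lines are constructed, and the ranges are RFC 5737 placeholders to be replaced with the rogue ranges from the FBI notice.

```python
import ipaddress
from datetime import datetime

# Placeholder ranges (RFC 5737 documentation blocks), NOT the real rogue
# resolver ranges. Replace with the ranges listed in the FBI notice.
ROGUE_RANGES = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample in a hypothetical router log format:
#   <ISO timestamp> <LAN source IP> -> <destination IPv4>:<port>/<proto>
SAMPLE_LOG = """\
2012-03-01T09:41:07 192.168.1.20 -> 192.0.2.53:53/udp
2012-03-01T09:41:09 192.168.1.21 -> 203.0.113.53:53/udp
2012-03-01T10:02:30 192.168.1.20 -> 198.51.100.7:53/udp
2012-03-01T10:05:00 192.168.1.22 -> 192.0.2.53:443/tcp
this line is malformed and is skipped
2012-03-02T18:15:44 192.168.1.20 -> 192.0.2.53:53/udp
"""

# Constructed resolv.conf-style resolver configuration.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp client
nameserver 198.51.100.7
nameserver 203.0.113.53
"""


def is_rogue(ip_text):
    """True if the address falls inside one of the listed rogue ranges."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    return any(addr in net for net in ROGUE_RANGES)


def rogue_dns_clients(log_text):
    """Map each LAN host that sent DNS to a rogue resolver to a summary
    with first/last timestamp, query count and the resolvers contacted."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # not in the expected format
        ts_raw, src, _, dest = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
            ipaddress.ip_address(src)
            host, _, rest = dest.rpartition(":")
            port = int(rest.partition("/")[0])
            if port != 53 or not is_rogue(host):
                continue  # only DNS traffic to listed resolvers matters
        except ValueError:
            continue  # unparsable timestamp, address or port
        entry = hits.setdefault(
            src, {"first": ts, "last": ts, "count": 0, "resolvers": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["count"] += 1
        entry["resolvers"].add(host)
    return hits


def rogue_configured_resolvers(resolv_conf_text):
    """Return configured nameservers that sit in a rogue range."""
    bad = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                if is_rogue(fields[1]):
                    bad.append(fields[1])
            except ValueError:
                pass  # ignore entries that are not valid IP addresses
    return bad


if __name__ == "__main__":
    for host, info in sorted(rogue_dns_clients(SAMPLE_LOG).items()):
        print(host, info["count"], "queries,",
              info["first"].isoformat(), "to", info["last"].isoformat(),
              "via", ", ".join(sorted(info["resolvers"])))
    print("rogue resolvers configured:",
          rogue_configured_resolvers(SAMPLE_RESOLV_CONF))
```

The per-host first and last timestamps are what narrow the finding to one machine; a clean resolver configuration combined with rogue queries in the log points at a device that still has the old setting or at the router itself.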
02-28-2012 11:24 PM
For some reason, I had to change my log on name to reply. However, I went to the amibotted.comcast site to double check. I found it on the forum. I checked all the computers and they said they detected a bot. It was only detected after several checks. The other site still showed green.
I ran the fixes they suggested. Although it showed 6 different bots tried to attack or use our computers, only 1 actually showed up using the eraser on one computer. The interesting thing is that the attack supposedly occurred on the date internet was reportedly messed up in our neighborhood. At the time it shows the bot occurred, our internet and everyone else's in our neighborhood was down. I had trouble reconnecting on 1 computer afterwards. Anyway, I did finally find 1 computer that was infected although it was not online at the time it showed the bot had activated. The person was not in the house that used the computer and our neighborhood had "reported problems in our service area and they were aware of the problem."
We ran all the fixes on the computers. The 1 infected was not allowing nortons to work or open. We chatted with Nortons, and they double checked everything on that computer and reinstalled nortons. They were extremely helpful and appeared to be dealing with a lot of issues from comcast customers. They asked if I had been a long term customer, double checked the computer was safe, reinstalled nortons and got it to run correctly- all WITHOUT TRYING TO SELL ME REPAIR SERVICE! I definitely give nortons credit for helping when NOBODY would help through comcast with a credit card.
I reset the modem and encrypted the security. I hope nothing goes wrong. I'm still wondering if something could have gone through an android tablet. The day internet went down in our neighborhood (which was a reported problem through comcast), I opened my tablet and it downloaded some updates. It was new and the only internet I had. Now I'm not sure if the check should go through it as well. Is the check the same for tablets?
02-29-2012 07:56 AM - edited 02-29-2012 08:29 AM
If anybody can answer if android powered devices like tablets and phones should be "scrubbed" and go through the steps, please let me know.
Also is there a way to double check if the bot is removed from the computers or network?
You say the last activity was on 17th. When I ran scans, it showed the last activity on the 13th. I had been without internet and comcast was trying to restore service to our area on the 13th. We did have it back on 17th but 1 computer was having trouble staying hooked up wirelessly for a couple of the days during that week (not the one the nortons eraser found a problem on). Also, the computer we found had a problem was the only one being used in the house on the 17th, if this is the last activity of the bot you are showing.
I had left town with the other computer that had been having wireless hookup problems during that week. Having a time stamp for that day would have really helped determine the computer it was on. The "infected computer" we found was the only one in town on the 17th and used on the internet. I understand not providing all of them, however more than 1 day could help customers determine which computers.
We had to keep hardwiring in and reconnecting the network with the "unaffected computer" that week. While I did reset the wireless device, the modem is through comcast. They had me hardwire to my modem on the day it reported the bot around the time it showed up. I would get internet back and be able to restore my wireless connection by disabling and enabling it through the adaptor settings. During this time, we did send refresh signals through the modem several times. Since the problem didn't show up on the computer that was having trouble connecting, I'm wondering if it may also have a problem even though the scrubber didn't locate a problem.
It stopped having problems with the connection after the "problem in our neighborhood had been fixed through comcast"
Since it occurred during a "known problem in our service area that appeared to be affecting our house," I wish they would actually tell me if the issue was related. I had not received any notices, popups, e-mails or anything like that before the issue in our neighborhood. It appears to be something that occurred while fixing our "known issue in our service area". If so, I want to know if modem settings have to be reconfigured after DNS bot remover. I did the wireless but not the modem.
Comcast should be taking responsibility for some of this instead of working so hard at selling their service. I have proof I called at the time it occurred, with phone records several times that day. It's also pretty bad that Norton's has to help with the issue for you since nobody wants to help at comcast. I pay way too much for this and Comcast needs to check their service and see if their systems are leading to some of this problem.
I don't think it occurring at the same exact time as a "known issue in my service area" and on a day when internet was up and down, with several refresh signals sent during that time is JUST A COINCIDENCE
Also, is there a way to verify if the bot's gone? Nortons was kind enough to double check the computer we had found something on. They only checked 1 though, not the rest. Since comcast can't verify what computer, we can only guess by trying to determine what computer was trying to use internet at that time, it would be nice to have a way to check if it's still reporting an issue.
At the time it reported bot activity with DNS changer, the computer I found it on was off and on online and the reason I was calling comcast to verify a problem. It was a different computer that intermittently had trouble getting wireless connection so I'm worried that it may still have a problem although the scrubber found nothing on that computer.
More than 1 day with time stamps would have been helpful to show. It did help to isolate when it could have possibly gone through. However, I could definitely troubleshoot better if I had information on any other times it showed up. You said the 17th was the last time. Our check showed last activity was on 13th. A little bit more would help verify which computer. ONLY 1 computer was in the house that day and could have been on network!!!!!!!!!!!! The rest were turned off, packed in the back of a car, and at a hospital in another state on the 17th!!!! Slightly more timestamps would have definitely helped
However, now I just want to double check if its gone and how do we make sure? Can the accounts be checked for activity before march 6th to verify there are no more problems?
Also, whether android devices (tablets/smartphones) should be scrubbed and go through the same process?
02-29-2012 12:47 PM
I understand your frustration. The issue in your area was just a coincidence.
As far as this specific bot goes, as long as none of your anti-virus are finding anything, and you're not seeing any entries in AIB and DNS-OK is green, I think you're ok. I'm still not seeing any activity from your modem, which is a good thing. We mention only one day because that is the only day we saw the activity.
To be clear, if you're still infected with this bot on March 6th, we will not turn your service off, BUT you may not be able to browse the internet (or use it in general) because of how the bot works. We just don't want that to happen and are trying to help you make sure it doesn't. Again, you can check with the AIB site (From home of course).
-Adam
02-29-2012 01:59 PM
Thank you for the update telling me that it's not showing up now at least.
Everything was sponged, encrypted, and setting changed on wireless. I haven't opened the tablet yet to check it cause I can't find out information on whether it can affect android. I had used it the day it was reported on the check for amibotted through the wireless access at our home. It was around the time it showed the bot had shown up on the network. I'm just not sure whether I should run the same fix on it as well, if it can be. I also have comcast mobile on most of our android based phones. I've turned off access to wireless for now until I can determine whether android based mobile or tablets can be affected.
The only reason I thought about the trouble with service is that one of the times I called and spoke to a representative, they sent out refresh and had me hardwire into the modem itself. I wasn't sure if something needs to be reset on it. I was out of service from at least 9am. I called in and just refreshed the signal. Some computers gained access but the unaffected computer wouldn't hook back up. I had refreshed by the representative an hour after it says the bot was detected. I honestly don't know if I had turned on the affected computer to check access before I called in to speak to the representative.
We are trying to use the information we have to try to isolate where we may have gotten the bot at the time it showed up. If it was a site, download, or update, we want to try to avoid it happening again.
The only thing we tried on that day with the computer that was affected was to see if there was a connection. However, at some point the Nortons software on that computer stopped working completely. It couldn't be opened, updated, and it showed expired license.
It's possible that when a connection was reestablished in our area, an automatic update came through and caused the problem. I'm only giving the information we have noticed in hopes that it helps isolate risks for everyone. It may help others with problems, help anti-virus programs be more effective, or help the support team combat the issue. I also don't want to accidentally cause the problem again.
Could someone please tell me whether I should do the fix to my android based tablet. It's a thrive and we had just got it so I'm not sure what type of threats could actually go through it. I'm afraid to turn it on and have to go through this all over again if I'm supposed to use the fix in it too.
Again, I was frustrated and computer problems always come at the worst time. I just feel that I could have been treated a little better when it happened and it's sad that the only way comcast would help was if I paid $100 to $130 on the spot. I was also blatantly lied to about whether I could do it myself and that they would return all the money back if they didn't find anything. They never once mentioned set up costs were nonrefundable. Plus the inability to bill your account is not helpful to customers that may not have it a week before the March 6th deadline. They also stated I couldn't use my "infected" computer anywhere after the deadline. I was very disappointed in the way things were being handled.
On the other hand, Norton's was extremely helpful in double checking I had cleaned the bot and no longer had the issue. It took 20 minutes for them to double check my fix, get my norton's back, and they did not charge me even though I believe it's a service they generally charge for.
Anyways, I'm grateful for the help and would still like to know if the android systems on tablets should go through the same fix
03-04-2012 11:46 AM
I am receiving the emails and received the letter telling me about the DNS changer bot etc....on my Mac. I just ran both the Comcast DNS checker and Bot Checker and both came up clean......if this is the case, why am I receiving these emails (most recent one this AM) and letter?? Also, I think it is BEYOND wrong for Comcast to charge customers for technical assistance with this issue.....as if we don't pay enough already for your service?? Any help would be appreciated. I purchased Virus Barrier X6 for my Mac and now use that rather than Norton. In my opinion, Norton did little for my Mac
03-04-2012 12:37 PM
It should help provide information on macs and better info on removal. I would run the amibotted check several times. Mine didn't show up until I ran it a couple of times. The nortons "eraser" can be run without having nortons antivirus. It's free and constant guard will send you to the "do it yourself" site after you run the amibotted check if your computer shows one.
Make sure you also change your router info or it will keep reporting the issue and you may lose access after the 6th. It's the third step and has to be done based on your particular model of wireless connection.
03-04-2012 12:41 PM
Thank you. How do I go about changing my router info?
03-04-2012 01:39 PM
I have a Mac so running the "eraser" is not an option.......I am beyond frustrated with this
03-04-2012 01:45 PM
Personally, I went to the manufacturers website and located my model number for the router.
Since it's older, I had to look under F and Q's to locate how to change router password.
Luckily, I had originally used default so it was easy to redo the settings for the network. If you had installed it with your own name and password before, you may need to take additional steps.
I ran the installation wizard as the administrator and changed it to my own name/password. I then added an encryption. When you open your computer, you will have to re-connect to your new network and type in your encryption key you added. This should reconfigure your network and add security to your network.
I know some people say to just reset it to default. You can do that if you did not use default settings before. Otherwise, you will basically be reconfiguring to the same settings and it won't help.
I found it easier to go ahead and change it just to make sure the router was not configured with the same information. I would rather be safe than sorry later.
If you do change it though, don't lose the information. I'm not sure how easy it would be to retrieve the settings afterwards.
Hope it helps
03-04-2012 02:05 PM
I know on the website for do it yourself, it offers something for both windows and macs.
I believe its
I'm not sure, but I believe the eraser can be used on either. Either way, it should provide an "eraser" for your system under the mac. I know the nortons eraser did not require you to have norton antivirus to download and use it. I saw another post saying they had used it for the mac.
Then it will say something like a one click fix. The third step should be to change router configuration. Make sure to scrub all computers in your house before doing the router. You don't have to, but it may save you from re-doing it afterwards if their detector missed one of the computers.
I can't remember where I saw it, but the thread on bot education gives additional sources to erase the bot as well. That may be where I saw the more in-depth information on macs. You may want to search the forums for mac and bot information and it could give you the thread.
Believe me, I understand your frustration. I began posting to help others after I had to deal with this and comcast's lack of assistance for over 3 days. I'm really disappointed in the way this issue has been handled.
03-04-2012 03:34 PM
unable to fix it and refuse to call their number and pay their fees. I (over)pay in my opinion for what I get because there is a lack of competition. This is ridiculous
03-04-2012 04:09 PM
If you call the security people at comcast, NOT the paid assistance, they can report whether your computer is still reporting bot activity. They put you on hold forever but they do have access to the information. Reps are useless.
Direct number should be:
1-888-565-4329
I refused to pay as well and felt I pay enough. They were extremely rude and flat out lied to me to try to get me to pay. Also their START UP fee is not refundable, in case they act like it is if no bot is found.
Unfortunately, I don't know macs too well.
However, it may not actually be showing activity anymore if you've scrubbed it. It may be reporting something from a few days ago.
The security team can tell you when the last time it was showing activity. Did you change router settings/configuration? Were you able to run a scrubber/eraser?
There are some other types of scrubbers/erasers on the bot education page that may work better for mac
03-04-2012 04:27 PM
I thought you might want to check the thread:
bot on my mac.
Some say they can't be infected but they had some issues through their mac that looked like a bot and it's a different type of problem. May be what you're going through
03-04-2012 04:34 PM
unable to see link to mac thread???
03-04-2012 06:22 PM
If you look at the top of the page, there's a search option for just the board (2nd one), above posting guidelines link. Search the terms bot on my mac
I looked at one by mccolorodo. There are other threads listed as well on the search. More information may be available there that relates to your situation
03-04-2012 08:32 PM
patsrock,
I am not sure if this is what you need, but what worked for me was to reset my router, by holding a small screwdriver in the reset hole for at least 30 seconds while it was plugged in. I found a website to help me with the details, and I had to set up my router again by going to airport utilities (Finder>Applications>Utilities>Airport Utility) . It was the only way I got the dnsbot alert from comcast to stop.
Joe
I use two macs with airport
03-05-2012 04:17 PM
I just read your email and I am upset as well. Have you received any answers to your questions? Do you feel that your computers are safe now?
03-05-2012 05:25 PM
Why is Comcast involved in this? Isn't this a problem that should be handled by a company that does this for a living? (Symantec and McAfee?) I have McAfee EPO on my network with virus scan enterprise, site advisor and HIPS installed on every machine. I didn't get an e-mail or letter. Did only Norton customers get this e-mail or letter?
03-05-2012 06:53 PM
I definitely was not happy with comcast.
After I went through the steps on all my computers and got help from nortons and the forums, I have not had any reported bot activity. Double checked them all today. On the advice of others, I actually configured my router again with the WPA - PSK type of connection just to add more security.
I have also password about everything I could think of.
I had got a phishing e-mail that looked like it was through comcast before this occurred. I contacted the fraud department but never heard anything. I didn't open emails from them for awhile. On another email account, I did figure out they contacted me the day after the bot had been noticed. When I originally made the check, the amibotted check showed the intrusion during a time my internet was down along with others in our neighborhood. I got the "we are aware of trouble with phone and internet service in your area" recording when I called comcast. Yet, this was the exact time they said the first bot activity showed up. Our system was "refreshed" at least a couple of times that day.
I also found that about 2 weeks before, I got a copyright infringement notice, approximately the time I had the phishing e-mail. I feel that they are all connected in some way and comcast should be more willing to help customers when they have an issue like this. This is obviously widespread from the information on the forums.
It would have been nice to be forewarned a security risk was possible - 1 e-mail, especially since regular anti-virus doesn't appear to fight it.
Give suggested steps ahead of time. I understand we all should know this but in honesty we don't always think about it. We have so many devices hooked up wirelessly, range is supposed to be limited on a router, and I probably didn't consider all of the hack type programs that are out there to by-pass simple security.
Also, if an issue is known, don't tell me that my account is compromised, the only way I can save it is to provide you $130 immediately with a credit card (which sounds like you're trying to scam for my credit card when all other services provided can be billed directly to your account), and all people involved with customer contact should at least be informed of the problem. The first person said they had no idea what it was and thought it was a phishing scam. Then they directed me to someone that only wanted to sell me their service "at no choice"
I had done all the fixes myself but I was extremely happy with Nortons for them taking the time to double check what I had done and helping fix the Nortons. We were not sure if it happened because of the bot or the eraser. This was normally a PAID service. They did it for us no questions asked and in 20 minutes.
Comcast really needs a lesson in customer service. I pay a lot as I'm sure most of us do. I honestly felt like reporting them to someone because I had never had such a horrible experience and it came at a time when family illness had hit our family.
The assistance people made me feel like I had to choose, keep the internet that we have to have for schooling reasons or have money to go see the close family member that's been in the hospital for a month and been diagnosed with cancer.
Not my best experience or week but grateful I think it's taken care of. I guess I won't know for sure until tomorrow.
Sorry for the vent, still extremely upset with the service I got
03-05-2012 06:59 PM
As far as I know, it wasn't only norton customers. Comcast uses constant guard on their end to determine if you have bot activity. It's actually something to do with the FBI sting that happened last year from what I read. They have information about it.
Nortons was just the ONLY people willing to help fix the issue. As far as comcast, I certainly do feel they should have been MORE involved than they were.
People's computers have been rerouted from some Rogue servers now anytime their computers tried to connect to some rogue network that the FBI shut down last year. I didn't even know about the "bot" but it's definitely something I wish they would have announced to all customers a long time ago.
I would have been happy to see it on their homepage for that matter, with links to places to learn more on protecting yourself
03-05-2012 09:48 PM
Hey Aghelp,
Sorry to hear you did not get the best quality service you should have. Please be aware we did notify all Comcast customers that appeared to be infected with the DNSChanger malware. We've been working very closely with Symantec (makers of Norton Power Eraser) and the FBI from the moment this news broke. Our campaign to inform and educate our customers has included webpages, email notifications and phone calls.
This has been a completely new and unique kind of threat facing Internet users across the globe. We've done a tremendous amount to help our customers and at the same time we've learned a tremendous amount how we can do it better next time. Unfortunately, given the way malware has increased over the past few years, it is likely there will be a "next time."
It sounds like your issue is now resolved. If that's not the case and you need assistance, please feel free to send me a private message.
Thanks.
03-05-2012 10:53 PM
I am appreciative of the help I did receive, frustrated but hopeful it's taken care of. I didn't get a written notice until a week before the deadline. It appears I did receive an email after the second time, however someone tried to fish for information so I hadn't really opened the email in case it was another attempt. I hadn't even looked at the primary account since I rarely use it. I actually use a secondary e-mail for everything.
On the first date and time of showing bot like activity, we didn't have internet in our area. It just seems like I must have experienced a string of coincidences and they occurred at a very bad time. I had actually never heard of the danger until I received the letter in the mail. It was lucky I wasn't out of town.
I do wish I would have seen something on comcast homepage. I look at it several times a day and never seen anything about a threat.
I really did receive a "we are the only ones who can fix it" or "you can attempt a computer technician to look at your computer but they may not take care of the issue" response from the paid service.
I can barely keep up with the bill increase as it is, and nortons really did help.
I should note, representatives at comcast had no idea what was going on. On the first date the bot showed up, was the date I found there was "trouble with your service" in our area and internet was down.
Representatives should be aware of the issue, they had no clue and said they normally know about bot alerts.
I understand that you guys only had a few months to deal with this, I had 1 week and have no idea how it happened. I'm also worried because I received a notice for infringement which I did not do. Nobody probably cares but when you don't do something wrong it's very hard to understand why you can't at least let someone know you didn't do it and would like to make sure nothing else happens. Comcast paid assistance made it sound like I would go to jail if I didn't pay for their service, with a credit card, after I had just received a phishing email, and I had to fix the issue now or lose service.
The report date I received on amibotted was also on a date our internet and the neighborhood's internet was "having trouble". At the time, I wasn't able to connect and had spoken to comcast.
I felt like a bad guy when all I wanted to do was find out if it was real and how to fix it.
I've seen your posts, you seem like you try your best and the customers do appreciate your help.
Hopefully all our computers will be up and running tomorrow. I have a family member starting chemo and can't deal with much more.
Thanks for all of your help
03-06-2012 08:14 AM
So you don't offer any info regarding MAC identification of this bot? That's frustrating. You just tell your customers, "something behind your router has done something bad" and it's up to the customer to fix it. Many customers have all sorts of stuff running on their network like phones and gameboxes, etc. The customer has to do your job? My monthly Comcast bill never mentions that I will be getting fear mail. I have a customer's computer in front of me that's fine but it's here due to your fear mail. Later today I have to go to her house and deal with the kid's xbox and her vonage and whatever else she has. Should she send you guys the bill I'm going to give her? You guys did supply her with the Anti virus that seems like it was useless against this bot. As a gift for my customer I'm supplying her with some effective antivirus and other security software for free instead of the junk you gave her to use. HA...."Constant Guard" sure is an ironic name for your "security suite" isn't it?
03-06-2012 08:57 AM
I had to request information on other types of wireless devices through another thread. Supposedly, there's no "known" effect on android and OS? systems. Not sure I'm saying right type. I was worried about android based tablets and phones. Honestly, I haven't tried them yet. I kept them off my network to see if I have connection to all computers today. We also have xbox, playstation, printer and so on. It took me 5 times of asking about the tablet before someone said it shouldn't be affected. Please let us know if other devices might also have issues and if there are any "known" ways to check them or fix them.
We did hook a xbox to the network, only cause they can't live without it. Hopefully it works and no problems - it's brand new and a replacement for one that had ring of death. It's hard to explain to a kid that they saved for something and it might mess up because nobody can tell you if the system can be infected or how to fix it.
Any info greatly appreciated. Was going to wait until tomorrow to add on devices since I have no other way of checking.
03-06-2012 11:01 AM
bobpiquette,
MAC identification could only be obtained through invasive inspection, which is not our intent. We do offer assistance including https://amibotted.com which allows customers (and those helping customers) to identify the exact time and date we saw the bot activity.
As I'm sure you're aware, anti-virus is the first step in protecting your computer, not the last. Most AV products on the market actually cannot detect this bot, that's why several companies have come out with very specific programs that will detect it. I'd recommend trying one out, like Norton Power Eraser.
Hope things go well.
03-06-2012 11:02 AM
AGhelp,
Thought I replied to your question about IOS and Android. Devices running those operating systems cannot be infected by this bot. Same goes for Xboxes, PS3, etc. Basically it's just home networking devices and home computers.
03-06-2012 11:12 AM
I wasn't sure if the other systems was the same as tablets and smartphones.
You had in fact said it couldn't affect the android and IOS, and I was grateful for your help at the time. I had asked in OTHER sections which did not get a reply back from the other person who helps out at comcast. He replied to other information but not the questions about additional devices.
I didn't think there were issues with dvd players, xbox's, and so forth after you said the tablets and smartphones were safe. Was just double checking when I saw the post about somebody was going to check all the additional devices in someone's house.
Thank you for clarifying, saved me a lot of worry and headache today.
03-06-2012 11:18 AM
I saw you suggested using more than just anti-virus protection, especially with the threat of malware/bots becoming more common. You mentioned the norton's power eraser that was used to help this situation.
Should this program be run periodically or others? If so, how often would you suggest we run the program?
I was under the impression it does have the power to mess up stuff on your computer so I wasn't sure if it was good to use on a regular basis
03-06-2012 11:47 AM
I'm not as concerned about the mechanics as I might have sounded like in my prior post. I'm just confused about why I've never received any correspondence from Comcast regarding other threats like new keyloggers, homepage hijackers and other malware or viruses. Like I said, I'm perplexed about the fear mail from Comcast. Security companies usually identify and write id tags for viruses, malware/spyware including bots and send out updates. There are far worse threats than this that are addressed on a daily basis but the security specialists usually don't wave flags about it and freak people out.
Like I said in an earlier post, my network is fine but I feel bad for those folks that this stressed out.
The fact that Comcast wanted to charge to solve this problem is obscene. Doesn't constant guard provide malware protection? I thought it was a suite of security products
Total up what it cost for all the time effort and materials to send snailmail and phone calls to all your allegedly infected customers and it would have covered the 2 minutes and the bandwidth that the comcast phone reps would use to run their automatic id and removal tools for no charge...oh yea and kept your customers happy.
I won't complain about this anymore. I hope everyone had a smooth "B" day(B for bot).
03-06-2012 12:08 PM
I was glad they informed me about it. However, I think FBI involvement was why they did "alert" people.
I would like more information provided to me. However, after phishing scams through something that looked like comcast, I'm leery. I just realized I may have also got a phone call that was phishing cause I thought it was funny they had that number. Unfortunately, the comcast home phone can never be given out by me because I have so many people calling for the previous people who had the number. I even got one thinking I could let them in their apartment. I pay for it but can't give it out.
I'll probably never know. Will just need to be more aware.
However, the security page lists threats. I would love to actually see this as one of the pages that flip on the home page. I'm not sure what it's called but it's where comcast shows top headlines, xfinity info sometimes, and topics of interests.
Most people (I'm generalizing) probably don't think to check the known security risks page. I didn't until now. What's listed: phone, email phishing scam, malware threats, bots.....
I'm about to add it to my toolbar. I would prefer to see it when I open my homepage. E-mails and letters can be difficult to determine if they are real. For example, the letter I received did not have the correct city generally on my bill. It automatically made me suspicious. Then was told I need to hand over my credit card info to fix now. More suspicious.
It ended up a series of events where I couldn't tell if things were real or not.
Direct access on front page as one of the slides would probably take out a lot of the time comcast spends verifying and working with customers. It would also alert us quickly at our convenience by letting us see the recent threats. If we are infected, I appreciate the notice. I could have looked at the threat page and found it was legitimate and started doing something.
Just my opinion
03-06-2012 01:15 PM
bobpiquette wrote:
I'm not as concerned about the mechanics as I might have sounded like in my prior post. I'm just confused about why I've never received any correspondence from Comcast regarding other threats like new keyloggers, homepage hijackers and other malware or viruses. Like I said, I'm perplexed about the fear mail from Comcast. Security companies usually identify and write id tags for viruses, malware/spyware including bots and send out updates. There are far worse threats than this that are addressed on a daily basis but the security specialists usually don't wave flags about it and freak people out.
Like I said in an earlier post, my network is fine but I feel bad for those folks that this stressed out.
The fact that Comcast wanted to charge to solve this problem is obscene. Doesn't constant guard provide malware protection? I thought it was a suite of security products
Total up what it cost for all the time effort and materials to send snailmail and phone calls to all your allegedly infected customers and it would have covered the 2 minutes and the bandwidth that the comcast phone reps would use to run their automatic id and removal tools for no charge...oh yea and kept your customers happy.
I won't complain about this anymore. I hope everyone had a smooth "B" day(B for bot).
Thanks for the feedback. We can't really see what's going on with your computers behind your modem, so it's difficult for us to identify things like Key-loggers and other viruses. This is something we're 100% sure of, and can detect very easily. It's also extremely important that we help our customers remove this bot so there isn't any interruption of service. You can imagine the impact of this when the DNS servers are shut down if we had not taken any action to inform people.
We do offer a paid service to get this issue resolved, but it's not the only option. The first option provided is a DIY option - some people just don't have the time or understanding to do it themselves, so we also offer a paid option. Again, the choice is yours.
03-07-2012 10:55 AM
Argh! I received this letter everyone is talking about March 5th, spent the whole night checking and rechecking that I did everything right, even had my tech savvy boyfriend make sure both computers as well as my router and the flippin modem were all clean. Never found any sign of this DNS issue but we downloaded all the tools and jumped through all the hoops anyway. Lo and behold, about 5pm 3/6 my internet completely crashed. We were up til 11 trying to figure out what the heck happened. Rechecked everything. Computers were clean. Router showed no sign of issues. Suddenly though, the modem has taken it off line. Power cycling and restoring to factory and praying to the Internet Gods all proved fruitless. Even connecting directly to the modem was a useless endeavor. Not really sure what to do, how to progress forward. I feel like I was set up with less than 24 hrs warning and that even with all my time it all still went sideways. Thoughts? Guidance on how to proceed?
03-07-2012 11:15 AM
techilliterate wrote:
Argh! I received this letter everyone is talking about March 5th, spent the whole night checking and rechecking that I did everything right, even had my tech savvy boyfriend make sure both computers as well as my router and the flippin modem were all clean. Never found any sign of this DNS issue but we downloaded all the tools and jumped through all the hoops anyway. Lo and behold, about 5pm 3/6 my internet completely crashed. We were up til 11 trying to figure out what the heck happened. Rechecked everything. Computers were clean. Router showed no sign of issues. Suddenly though, the modem has taken it off line. Power cycling and restoring to factory and praying to the Internet Gods all proved fruitless. Even connecting directly to the modem was a useless endeavor. Not really sure what to do, how to progress forward. I feel like I was set up with less than 24 hrs warning and that even with all my time it all still went sideways. Thoughts? Guidance on how to proceed?
A federal judge has given the ISC a one time extension to keep these servers online until July 9th, so the "B Day" as it's been called hasn't happened yet.
If your internet is down, I don't believe it's related to the DNS Changer Bot (Though you may still have it). Please call technical support.
Once you're back online, you can see if you're still infected with the bot by visiting https://amibotted.comcast.net and http://dns-ok.us
03-07-2012 11:32 AM - edited 03-07-2012 11:34 AM
One thing to ask:
Did you actually change the password/administrator name on the router or reset it to factory? If it was the router, and you previously used the preset factory settings, resetting it to the same one probably did nothing. Change it again to a whole new name and password with whole new encryption for WLA (which ever one your router has that is the best type)
You will have to make sure you add the new information to each computer in order to reconnect to your router.
Despite some disagreement, your issue may actually be related to a bot infection. I had to run the check several times before it actually showed bot activity. As I've stated before, the time stamp of the bot activity was when MY INTERNET WAS OUT AND COMCAST REPORTED THEY HAD KNOWN ISSUES IN MY SERVICE AREA AND WAS WORKING TO FIX THE PROBLEM!!!!
Sorry, been told this IS JUST A COINCIDENCE.
If a bot can take over router or computer, I'm assuming it can cause connection issues for the computer user at the time. I would check and recheck, hardwire and wired with the amibotted site when it comes back.
I will almost bet that you will receive another letter or notice of bot activity for yesterday. The amibotted site may even show the exact time you didn't have access as a time when bot activity was detected.
03-09-2012 02:40 PM
Comcast updated me with some additional information I thought I would pass along:
It appears that if the DNS Changer bot is no longer showing activity, customers should be in the clear. The bot was neutralized in December, comcast had stepped up notifications to alert people they were infected so the time stamp shown is most likely not when infected or the first time your network system had bot activity, it was when comcast stepped up notifications so people could fix the problem.
I am aware others were notified earlier than I had been. If our computers were infected for up to 2 months before notification, I really do wish they would have done the notification process quicker.
I'm still happy they informed us but the computer was most likely infected for at least 2 months or longer.
Luckily it was not my main one but everyone should be aware the dates you received notice may not be the accurate date of how long you were infected.
03-09-2012 03:25 PM
AGhelp,
I need to clarify your statement a bit.
You are correct that the bot has been rendered ineffective for its original, nefarious purposes. However, the fallout from the bot is that infected computers and networking devices will have incorrect DNS settings. As a result, once the federal deadline (now July 9th) passes, any machines that have not fixed their settings will no longer be able to access the internet.
This is NOT due to any action by Comcast. Once your DNS settings are fixed on your computer or networking device you will restore your ability to access the internet.
Essentially your computer has the wrong settings to look up how to address anything on the internet. Removing the bot (or the bot being taken down) doesn't fix the fact that the settings, which are stored on each person's computer, are incorrect.
Hopefully that makes sense.
03-09-2012 05:54 PM - edited 03-09-2012 06:15 PM
Yes,
I should have clarified that the settings had to be changed on routers too. It's part of your fix steps so I didn't state that portion.
My understanding was that once the infection of the entire network (computer and router) has been cleaned correctly and reset, then you are okay as far as this particular bot. Correct me if I misunderstood. If I understood correctly, they were able stop the bot from infecting systems since December.
If I understood correctly, I had to have been infected already although I never received notice until Feb 18 and the letter on the 28th. It was suggested the infection occurred sometime before it was "taken care of/ eradicated" in December. However, it does show up on computers that were infected before that.
Basically, the point is: I was probably infected last year and didn't know.
Many people had received notices prior to that through various alerts systems (pop-ups, email, phone calls, or whatever). The fact that I wasn't informed of the infection before February does not mean that's when I got infected with it.
For example, I thought there was 2 instances of bot activity for this on our system. Both were in Feb. Therefore, I was trying to narrow down where I may have went on the internet to be infected. However, it's my understanding it was eradicated from infecting new systems by that time.
IF YOUR SYSTEMS successfully clean and DNS settings successfully change, you should not have to repeatedly keep checking if you have this bot. Although protecting yourself is still important.
That was the only point I was trying to make, a person can't get RE-INFECTED, it should only show the activity on that bot if it wasn't successfully taken care of the first time.
As far as comcast, I was only making a comment that some people had been informed of infected systems as early as October and November from what I can see. If you could only get this one up until December, some of us were infected and didn't know it until we got the notification.
I was told that comcast increased their notification to beat the deadline and help us stay online. I really have no idea whether you were aware of the infection on our system before you informed me. Only your records know that information. I'm grateful but wish I would have known sooner. After clarification, I'm sure that this was probably not the only 2 times it showed up on our system.
I'm basically trying to say: If you are still getting notices probably not fixed correctly. If not, should be clear of this bot
03-11-2012 06:38 AM
I had these DNS_changer alert popup messages from Constant Guard sometime in late February. I immediately reinstalled Windows on my computer and reset my wifi router and changed its admin password. The https://amibotted.comcast.net/ website showed that I was clear after that for about 10 days. On 8 March I again had the popup letting me know that DNS_changer bot was last seen on 7 March sometime in the early afternoon local time (Times seen: 5). I downloaded and installed NPE and AVIRA DNS repair tool and checked and couldn't find anything. I again reset my wifi router and once again changed the password for its admin. I checked on https://amibotted.comcast.net/ website once again to see activity in last 24 hours and it said I am all clear. But tonight again, I got the popup alert and I check https://amibotted.comcast.net/ and I see that DNS_changer last activity was seen on 2012-03-09 18:58:05 Local Time and under TIMES SEEN: 10. But when I go to "View results for last 24 hours", it shows that I am in the clear.
Since it is repeatedly reporting activity of the bot after irregular intervals, I am assuming that something is still wrong in my network. I wonder if anyone in this forum has observed similar intermittent activity of the bot?
Any suggestion as to what I can do?
Thanks..
FaY
03-11-2012 09:03 AM
When my computer report came out at amibotted, it showed 13th. Comcast said 17th. I had them double check and no activity. However, I'm not sure reinstalling windows would have fixed it.
They have 3 steps
Nortons eraser tool, which will say it found something and ask if you want it erased.
One click fix (I believe changes dns changer settings on computer for your internet)
and then resetting the routers name/password/ and preferably the encryption
May try that and request comcast themselves to give you a date of last activity
03-12-2012 12:18 PM
qriopal wrote:
I had these DNS_changer alert popup messages from Constant Guard sometime in late February. I immediately reinstalled Windows on my computer and reset my wifi router and changed its admin password. The https://amibotted.comcast.net/ website showed that I was clear after that for about 10 days. On 8 March I again had the popup letting me know that DNS_changer bot was last seen on 7 March sometime in the early afternoon local time (Times seen: 5). I downloaded and installed NPE and AVIRA DNS repair tool and checked and couldn't find anything. I again reset my wifi router and once again changed the password for its admin. I checked on https://amibotted.comcast.net/ website once again to see activity in last 24 hours and it said I am all clear. But tonight again, I got the popup alert and I check https://amibotted.comcast.net/ and I see that DNS_changer last activity was seen on 2012-03-09 18:58:05 Local Time and under TIMES SEEN: 10. But when I go to "View results for last 24 hours", it shows that I am in the clear.
Since it is repeatedly reporting activity of the bot after irregular intervals, I am assuming that something is still wrong in my network. I wonder if anyone in this forum has observed similar intermittent activity of the bot?
Any suggestion as to what I can do?
Thanks..
FaY
We haven't seen DNS Changer traffic from your modem since the 10th. The best thing you can do is check all your network settings and make sure they're using proper DNS Servers.
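The check suggested above (confirm that every computer is using proper DNS servers), as an added example that is not part of the original thread and is not a Comcast tool: it parses pasted Windows `ipconfig /all` text and flags resolvers per adapter. The function names are hypothetical, the sample output is constructed, and `ROGUE_NETS` holds placeholder documentation ranges (RFC 5737), not the real rogue DNSChanger ranges, which this page does not list.

```python
import ipaddress
import re

# PLACEHOLDER ranges from the RFC 5737 documentation blocks. These are NOT the
# real rogue DNSChanger ranges; substitute the published list before real use.
ROGUE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")          # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")       # "   Key . . . : value"
BARE_IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # continuation line

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : FAMILY-PC

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ipconfig_all(text):
    """Return [{'adapter', 'dhcp', 'dns': [...]}, ...] from `ipconfig /all` text."""
    adapters, current, in_dns = [], None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"adapter": header.group(1), "dhcp": None, "dns": []}
            adapters.append(current)
            in_dns = False
            continue
        if current is None:
            continue  # global section before the first adapter
        bare = BARE_IP_RE.match(line)
        if bare and in_dns:  # second/third resolver listed on its own line
            current["dns"].append(bare.group(1))
            continue
        field = FIELD_RE.match(line)
        in_dns = False
        if not field:
            continue
        key, value = field.group(1).strip(), field.group(2).strip()
        if key == "DHCP Enabled":
            current["dhcp"] = value.lower() == "yes"
        elif key == "DNS Servers":
            in_dns = True
            if value:
                current["dns"].append(value)
    return adapters


def assess(adapters, rogue_nets=ROGUE_NETS, expected=()):
    """Return (adapter, resolver, verdict) for every resolver that needs attention.

    ROGUE: inside a listed rogue range. UNEXPECTED: not in the caller's list of
    expected resolvers (router or ISP). MALFORMED: not a valid IP address.
    """
    expected = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for a in adapters:
        for raw in a["dns"]:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((a["adapter"], raw, "MALFORMED"))
                continue
            if any(ip in net for net in rogue_nets):
                findings.append((a["adapter"], raw, "ROGUE"))
            elif ip not in expected:
                findings.append((a["adapter"], raw, "UNEXPECTED"))
    return findings


if __name__ == "__main__":
    for adapter, resolver, verdict in assess(parse_ipconfig_all(SAMPLE),
                                             expected=["192.168.1.1"]):
        print(f"{verdict:10} {resolver:15} {adapter}")
```

A computer that lists only the router's address as its resolver says nothing about the DNS servers configured on the router itself; those have to be read from the router's admin page.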
03-12-2012 12:47 PM
I believe that would mean it's not clear yet if seen on 10th, at least from previous posts. I believe you said you ran checks on the 8th and reset everything
Are you doing the one click fix after power eraser (2nd step)?
Also, I ran power eraser 2 times in a row on all computers before it was found.
Are you resetting the router to something used previously (default, same password/name, or encryption)?
Could someone else be using your network? Is it secured with a passkey?
03-17-2012 02:52 AM
Questions for Comcast to answer:
1) How does this bot attack and spread? Opening an email attachment; through an internet link? Can I pass on the bot to another computer if I use a thumb drive to transfer files between two computers, for instance? Is there any information available about what actions increase the vulnerability of an uninfected computer to get infected with Alureon?
2) Is this bot only known to attack devices that run Windows and Mac OS or can a device running Android or iOS or Ubuntu linux also get infected?
3) I hear that the bot can also change the DNS settings of home routers. Will factory resetting and changing the type of encryption and administrator password of routers enough to make sure that changes made by the bot are reversed? Can the bot also reside on the ROM of routers or do they only reside on computers running Windows or MacOS and only affect the routers by making changes to the routers settings? That is, hypothetically speaking, if I purchase a new computer and get rid of my current infected computer and factory reset my home router, (and change its encryption type and its password), can I then be sure that I am totally clear at least till a new copy of the bot attacks my computer once again?
4) I notice that the activity of the bot is intermittent. Based on my observation of my networks reporting of bot activity through amibotted.comcast.net website, I find the bot activity happens on average once in six days. It does not attempt to look up the rogue DNS servers every time I click on an web link. So can I assume that after July, when FBI shuts down the rogue DNS servers, I will not see a complete shutdown of my Internet access but will only occasionally notice disruption of service for a few minutes when the bot sleeping on my system wakes up once in six days or so?
5) I called Comcast to ask them what additional info they have that might help me clean my computer to get rid of the bot. They said that their technicians can help me solve the problem for a fee of $100. Why can’t they just publish a detailed manual of what ADDITIONAL fixes their technicians apply in such situation as compared to the three-step-fix that they are currently advising their self-help users. That way, some of us who do not have a spare $100 to get my computer fixed can work on our own to deal with the situation. Is Comcast looking at this Alureon epidemic as a money-making opportunity? My computer is not worth $100 dollars. I would rather go buy a new computer than to pay Comcast $100 for this fix.
03-18-2012 03:28 AM
Dear AGhelp,
Thanks. Yes, I have had 2 more instances of the bot activity since I last reported on 8 March. So the bot is definitely somewhere still on my hard disk.
As to your question, yes, I used the one click fix after power eraser (2nd step) i.e., I ran the Comcast's batch file to make sure that I have my internet settings to DHCP.
I reset my router and then changed the default encryption to a different encryption and also changed the password to a new password. And I have no reason to suspect that someone else might be using my network. Yes, I have a long enough passkey for the encryption I am using.
Any other suggestions?
Qriopal
03-19-2012 10:52 AM
qriopal, I'll do my best to answer your questions here.
1) Unfortunately it is spread in numerous ways. Sometimes something as simple as an ad loading on a website is enough to get this nasty fella on your machine. Therefore it's often rather difficult to sort out how you got infected. It is known to put itself on removable drives as well.
2) We haven't seen any reports of a Linux based device being infected, but we have seen a lot of Macs with the malware. Because OSX is Unix based, it's definitely possible that a Linux based machine gets infected.
3) Yes, resetting your router to factory defaults should fix it. I haven't seen any reports of it actually flashing routers with different roms. While getting a new computer would surely solve the immediate problem, it shouldn't be required. Worst case scenario is that you would have to format your hard drive if you weren't able to remove the bot completely. But the answer to your question is 'Yes'.
4) That is possible, yes. When you see the notice, are you finding that your DNS settings have been changed? If not, I suspect the bot is just 'phoning home' and therefore shouldn't be noticed when the servers are turned down.
5) Great question. No, we aren't looking at it as a money making opportunity. We do offer the paid service as an option because some people would rather go that route. There's also the issue of being able to train every tech you might speak with before the clock runs out. We're doing the best we can to get the information out as fast as possible. If you call CSA, they should be able to walk you through most situations.
Please let me know if you have any further questions. It's worth noting that I do see your IP still hitting the ISC Servers on the 18th - Nothing yet for today.
03-20-2012 05:01 AM
@cc_adame
Thanks for those answers. This gives me some idea of what to do next. As to your question in bullet point #4, no, I have not yet seen any change in my DNS settings after every time Constant guard / amibotted reports me of the bot activity. I will then try to reformat the hard disk and reinstall windows to see if it solves the problem.
Thanks much.
Anirban